Stephen Crawley (Migrated from SEC-1305) said:
Problem: I was using OpenID with SpringSecurity for the first time, and trying to authenticate using Google as the OpenID provider. It wouldn't work and there was not enough information in the log files (debug enabled) to figure out why.
After poking around and hacking the code to display some exception stacktraces, I narrowed it down to a problem in "org.openid4java.yadis.YadisResolver". In older versions of this library, the "parseXrds" method had a bug that caused it to throw YadisException("XRDS stream exceeds max allowed size: " + ...) when the response was longer than 1000 or so. The actual allowed size is 10,000. Unfortunately, this message does not show up in the logs because the exception has been wrapped a couple of times before it reaches the code that logs a "consumer error".
For the record, the lines of code that cause the problem are 459 to 464 of YadisResolver.java (version 0.9.4):
Notice how the code assumes that a call to "read(byte)" will fill the buffer!
This is fixed in version 0.9.5, so the suggested fix for SpringSecurity is to change the dependencies in the OpenID module to openid4java 0.9.5.
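Added here as an illustration, not the openid4java code itself (the report's lines 459 to 464 are not reproduced above): a hypothetical bounded reader that makes the same assumption that read(byte[]) fills the buffer, beside a corrected version, fed by a constructed stream that returns short reads. The class and method names, the 1024-byte buffer and the 100-byte read chunk are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

// Hypothetical illustration (not openid4java's code) of the short-read mistake.
public class BoundedRead {
    static final int MAX_XRDS_SIZE = 10000; // the limit the report says actually applies

    // BUGGY: treats every read() as if it filled the whole buffer. On a stream that
    // returns short reads the counter overshoots and the size check fires long
    // before 10,000 real bytes have arrived.
    static byte[] readBuggy(InputStream in) throws IOException {
        byte[] buf = new byte[1024];
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int total = 0;
        while (in.read(buf) > 0) {
            total += buf.length; // wrong: should add the bytes actually returned
            if (total > MAX_XRDS_SIZE)
                throw new IOException("XRDS stream exceeds max allowed size: " + MAX_XRDS_SIZE);
            out.write(buf, 0, buf.length); // also copies stale bytes from earlier reads
        }
        return out.toByteArray();
    }

    // FIXED: account only for what read() actually returned, and stop at -1 (EOF).
    static byte[] readFixed(InputStream in) throws IOException {
        byte[] buf = new byte[1024];
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int total = 0;
        int n;
        while ((n = in.read(buf)) != -1) {
            total += n;
            if (total > MAX_XRDS_SIZE)
                throw new IOException("XRDS stream exceeds max allowed size: " + MAX_XRDS_SIZE);
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    // Constructed stream that hands back at most 100 bytes per read(), as a network
    // socket may. InputStream.read(byte[]) delegates to this three-argument overload.
    static class DribblingStream extends InputStream {
        private final ByteArrayInputStream inner;
        DribblingStream(byte[] data) { inner = new ByteArrayInputStream(data); }
        @Override public int read() { return inner.read(); }
        @Override public int read(byte[] b, int off, int len) { return inner.read(b, off, Math.min(len, 100)); }
    }

    public static void main(String[] args) throws IOException {
        byte[] document = new byte[2000]; // constructed 2,000-byte response, well under the limit
        try { readBuggy(new DribblingStream(document)); }
        catch (IOException e) { System.out.println("buggy reader: " + e.getMessage()); } // fires after ~1,000 bytes
        System.out.println("fixed reader returned " + readFixed(new DribblingStream(document)).length + " bytes");
    }
}
```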
Luke Taylor said:
This isn't really a major bug, as you say the problem you report is in OpenID4Java. We are already using 0.9.5 in the trunk (and the 3.0.x releases) and users of earlier Spring Security versions can easily upgrade their builds to the latest OpenID version.